This thesis would not have been possible without the constant support and encouragement I received from my academic advisor, Dr. Michael Rothstein. From the first vague proposal of this topic to later queries on focus and connection, he was always eager to entertain my ideas and help me solve conceptual difficulties. I sincerely thank him for his consistent efforts and true desire to keep me on track.

I would also like to thank my committee members, Dr. Johnny Baker and Dr. Austin Melton, for serving on my defense committee despite their overwhelmingly busy schedules.

Special thanks to the staff at the Kent State Department of Computer Science, in particular Marcy Curtiss who helped and encouraged me every step of the way during my time in the department.

Finally, I would like to express my deepest gratitude to my parents. Their support and unwavering confidence in my ability helped me achieve my academic dreams.

Any attempt to compromise the Confidentiality, Integrity, and Availability (CIA) of a resource can be categorized as an intrusion.

There is a growing need to ensure the CIA of a resource and to eliminate both internal and external system penetrators.

An effective way of achieving this is intrusion detection: the process of gathering and analyzing information to determine whether intrusive activity is present in the system.

- According to the Self/Non-Self (SNS) theory, any entity that originates from the organism will not trigger an immune response, whereas an entity that originates outside of the organism will trigger an immune reaction.

- Many immunologists question the legitimacy of the above statement (there is no immune reaction to the foreign bacteria in the gut or in the food we eat, although both originate from outside the organism).

- Polly Matzinger introduced a new concept known as Danger Theory (DT) that attempts to fill the gap left by the SNS theory.

Review of Existing Literature (Cont.)

- According to DT, an immune response is triggered when diseased cells that die unnaturally induce alarm signals.

- Alarm or danger signals are actually harmful toxins released by cells in distress.

- Propagating signals create a danger zone around the signalling cell, and only antibodies within that range begin an immune reaction.

- It is not the foreignness of an entity that triggers the immune response but the actual level of danger itself.

Review of Existing Literature (Cont.)

- Computer security experts are trying to implement this fascinating philosophy in Intrusion Detection Systems.

- In the context of an IDS, danger signals would be interpreted as unusual memory usage, access to unauthorized files, intruder presence, inappropriate disk activity and so forth.

- Generated alarm signals would be correlated with IDS alerts.

- Based on DT, alerts are classified as Apoptotic (normal) and Necrotic (abnormal).

Review of Existing Literature (Cont.)

- It is believed that proper balancing of the two types of alerts would result in an optimum sensor threshold setting. This results in reduced false alarms.

- Successful correlation of these alerts would then lead to the construction of an intrusion scenario.

- When the IDS has strong indications of the presence of intrusive activity, it can activate the sensors that are spatially, temporally or logically near the original sensor emitting the danger signal (the danger zone). Propagation of these signals would enable the system to immunize itself against attacks.


SECTION 6: Concept of Danger Theory

Every cell in our body has a defined life cycle:

- A beginning.

- An end.

Cells can die in two ways:

- Necrosis (the cell is killed accidentally by harmful pathogens).

- Apoptosis or Programmed Cell Death (the process of deliberate life relinquishment by a cell).

In the case of apoptosis, a cell that undergoes suicide sends out signals to nearby scavenger cells (phagocytes), which help prevent the dying cell from releasing harmful toxins (the cell membrane stays intact).

A DT-based IDS would focus on accurate classification, correlation and balancing of alerts.

Alerts are classified as:

- Apoptotic (prerequisite for an attack).

- Necrotic (consequence of a successful attack).

It relies on successful correlation of the prerequisites and consequences of individual attacks to develop an intrusion scenario.

In DT-based alert correlation, the post-conditions of certain attacks can be used as preconditions for other attacks (linking alerts). Hence, it is sufficient to specify properties such as prerequisites and consequences for individual attacks.

Application of DT to IDS (Cont.)

This also enables the identification of missing alerts.

A DT-based IDS would minimize false alarms, as it can quantify the degree of alert detection by appropriately tuning the intrusion signatures and anomaly thresholds.

Striking a balance between Apoptotic and Necrotic alerts would enable the IDS to identify the most suitable intrusion signature and anomaly threshold setting.

Similar to memory cells in the human immune system (HIS), intrusion signatures and thresholds are continuously redefined as new attacks invade the system. This significantly increases the accuracy rate of the IDS.

Application of DT to IDS (Cont.)

When an intrusion detection sensor identifies the presence of unauthorized activity, it raises an alert.

Danger alerts arising from one sensor can be transmitted to nearby sensors, informing them of the intruder's presence.

Alerts are propagated only if the probability of an intrusion scenario is higher than the threshold set.

Activation of the nearby sensors establishes the Danger Zone.
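The correlation and danger-zone mechanics described above, as an added toy simulation that is not part of the thesis or its presentation: an attack knowledge base specifies only prerequisites and consequences per attack (constructed, hypothetical names), alerts are linked by matching one step's consequence to a later step's prerequisite, a Necrotic alert whose prerequisite nobody reported exposes a missing alert, and the danger signal reaches neighbouring sensors only when the scenario score exceeds the threshold.

```python
from dataclasses import dataclass

# Constructed knowledge base in kill-chain order: attack -> (prerequisites,
# consequences). Condition and attack names are hypothetical labels.
ATTACK_KB = {
    "port_scan":     ({"host_reachable"},    {"open_ports_known"}),
    "brute_force":   ({"open_ports_known"},  {"valid_credentials"}),
    "priv_escalate": ({"valid_credentials"}, {"root_access"}),
}
GOALS = {c for _, post in ATTACK_KB.values() for c in post}
PRODUCER = {c: atk for atk, (_, post) in ATTACK_KB.items() for c in post}

@dataclass(frozen=True)
class Alert:
    t: int        # arrival order
    sensor: str   # node that raised it
    attack: str   # key into ATTACK_KB
    kind: str     # "apoptotic" (prerequisite seen) or "necrotic" (consequence seen)

def correlate(alerts):
    """Link alerts by matching a consequence to a later prerequisite.
    Returns (links, missing, score): links are (earlier, later) attack pairs,
    missing names attacks a Necrotic alert proves happened but no sensor
    reported, score is the fraction of kill-chain consequences confirmed."""
    established = {"host_reachable": None}  # condition -> alert that showed it
    confirmed, links, missing = set(), [], []
    for a in sorted(alerts, key=lambda x: x.t):
        pre, post = ATTACK_KB[a.attack]
        for cond in pre:
            if cond in established:
                if established[cond] is not None:
                    links.append((established[cond].attack, a.attack))
            elif a.kind == "necrotic":
                # The consequence occurred, so the producing attack succeeded
                # unseen: record the missed alert and infer its condition.
                missing.append(PRODUCER[cond])
                established[cond] = a
                confirmed.add(cond)
        for cond in post:
            established.setdefault(cond, a)   # both kinds support linking
            if a.kind == "necrotic":
                confirmed.add(cond)           # only success confirms a consequence
    return links, missing, len(confirmed & GOALS) / len(GOALS)

def danger_zone(origin, score, threshold, neighbours):
    """Sensors to activate around the emitting sensor; nothing is propagated
    unless the scenario score exceeds the threshold."""
    return set(neighbours.get(origin, ())) if score > threshold else set()
```

Feeding only a scan alert and a privilege-escalation alert yields no direct link but reports `brute_force` as the missing alert, and the zone is opened only when the resulting score clears the configured threshold.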


SECTION 8: EVENT-INCIDENT MODEL

Employs an Intrusion Detection Squad (attack-resistant mobile agents):

- Assistant Patrol Agents.

- Incident Pattern Presenters.

- Correlator.

- Negotiator.

- Coordinator.

- Neutralizer.

Works with:

- CIA Threshold Unit (Confidentiality, Integrity, Availability).

- Knowledge Database.

- Anomaly Signature Converter.

- Peer Information Buffer.

EVENT-INCIDENT MODEL (Cont.)

Architecture:

- Peer-to-Peer.

Works at four levels:

- Host level.

- Application level.

- Protocol level.

- Network level.

The DT-based Event-Incident Model for IDS is a six-phase process. Each phase denotes a distinct sequence of events which leads to the progression to the next phase.

EVENT-INCIDENT MODEL (Cont.)

Recruitment (Phase One): The Coordinator of the Intrusion Detection Squad is responsible for recruiting customized mobile agents. It generates two classes of agents for each of the four levels, namely Assistant Patrol Agents (APA) and Incident Pattern Presenters (IPP).

Dispersal (Phase Two): The Coordinator sends the agents out on neighborhood patrol. When it receives the monitoring results from the agents, it communicates with the Peer Information Buffer to decide whether an action plan is required.

Propagation (Phase Four): Upon confirming the presence of an intrusion, the Coordinator activates the Neutralizer unit and starts to propagate the danger signal to all its neighbors.

Neutralization (Phase Five): The Neutralizer unit takes the necessary steps (based on the type and severity of the attack) to immunize itself against the infected node.

Updating Knowledge Database (Phase Six): If the signature of the ongoing attack is not already saved, the Coordinator feeds the detected anomaly to the Anomaly Signature Converter unit to generate a signature. After this the Knowledge Database is updated.
